The Verge, reporting that Microsoft lost almost a billion dollars with Surface RT, in this quarter alone. "At the end of the day, though, it looks like Microsoft just made too many Surface RT tablets - we heard late last year that Microsoft was building three to five million Surface RT tablets in the fourth quarter, and we also heard that Microsoft had only sold about one million of those tablets in March." That's catastrophically bad.

"Fine, you don't like it, you won't buy it. The first hundred times, and I'm being nice here, it might've been a productive discussion. But now what use does it serve, pat each other on the back and agree?"

That's your opinion, but it seems that you don't have much appreciation for the competitive harm caused by OS restrictions. Alternative operating systems make up a small percentage of the market, so not many are directly affected in absolute numbers. However it does negatively affect the majority of us who are in that group. Consider that it doesn't make sense to buy duplicate hardware just to be able to try/use an alternate OS when you own hardware that's perfectly capable of running it already (artificial restrictions aside).

I learned to use linux when I was in grade school because I was able to dual-boot it on my "windows computer". I even learned how to write my own OS on my commodity hardware because it didn't lock me out. I would not have been able to do so if I had needed to buy a separate computer in addition to my main desktop. Even today I have a windows/linux laptop because I still need to use windows for work and I still prefer windows for some things anyways. I don't want to purchase & carry around two separate laptops just because MS demanded windows-supported computer manufacturers into blocking alternatives.

These things may not matter to you or others who aren't alt-os users, but please do try to understand why a lot is at stake to those of us who are. I count our blessings that MS backed down on the x86 front, but now is the right time to fight these restrictions on ARM *before* they become permanently established as a norm.

I do definitely see your point, and I think we can find some common ground in agreeing that there is a need for some form of secure booting mechanism.

You think the knobs should be able to be turned on, and I (and this is something I've probably changed my mind on) would be inclined to agree after further investigation.

It would be of great benefit if the end user was ultimately in charge of which public keys (in addition to the default MSFT one) were stored on their machine.

From there they could accept signed images from their favorite distro and maintain the chain of trust all the way through.

Alternatively the secure mechanism should be switched out so the more technically inclined user could have their box the way they want it, security ramifications be damned. I definitely understand the culture in alternative OSes may even favor compilation over shipping signed binaries, at which point a secure booting mechanism is more of a hindrance.

I think the x86 implementation ticks all of these boxes (albeit with shoddy OEM implementations which scare me), but the ARM versions do not. This is something I think should change (and maybe we can agree here).

I probably came off as bitter initially for which I do apologize and I appreciate you taking the discussion in a productive direction.

I'm trilled at finding common ground here, yes I agree secure boot on x86 fills the most important needs of both windows and alt-os users. Also it would be great for all ARM manufacturers to adopted a fully standard (of course unrestricted) UEFI stack rather than the arbitrary mess of proprietary solutions existing now.

I was thinking of ideas to improve secure boot further: something along the lines of being able to install a new OS on an empty or hosed system without any local media by typing in an HTTPS url and performing the installation online, letting UEFI install the keys automatically. This way any OS vendor could provide install images online and their users would require nothing more than a simple url to start installing the OS and configure secure boot from scratch. This could all be behind a password protected administrative account within UEFI, with maybe a default password and/or reset mechanism to get in.

This would be a boon to the modding community. As you pointed out, the modding procedures on typical ARM systems are difficult, non-standard, error prone, risky, brickable, etc. If this were a standard UEFI feature then the steps to return a device to a known state would be: Enter UEFI, Locate HTTPS (re)install feature, type desired installation URL (or accept OEM default), wait for install to complete, done.